Researchers spotted a vulnerability in Guardzilla’s indoor surveillance system. Researchers say that the vulnerability could allow attackers to access users’ stored files or videos.
The bug was discovered during the 0DAYALLDAY research event at the end of September and was reported to Guardzilla the following month. The researchers confirmed that the security flaw in the smart home security system was caused due to a firmware issue.
Researchers from Rapid7 spotted a vulnerability in Guardzilla’s home security video camera. They discovered that all of the security cameras use the same hardcoded keys and that it was easy for the attackers to hack passwords by exploiting the bug.
Guardzilla used an Amazon S3 bucket to store customer data that was captured by their security cameras. Researchers noted that accessing these S3 storage credentials is trivial for a moderately skilled hacker. They also said that the vulnerability in Guardzilla’s wireless security surveillance system could allow attackers to access and view any other user’s video footage, downloaded from their account.
“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Research Director at Rapid7.
“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques. The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts,” Beardsley told TechCrunch.